Are Full Scans of Servers a Change?

There has been some recent discussion in my organizations on how to handle vulnerability scanning against production devices. While agents have been installed on all the target devices, my security group would like to run quarterly vulnerability scans.

The issue at hand is how to handle this request. Most people I have spoken to have agreed that “scanning” a server is not a change. It has been argued that it is an operational task. However, we have identified the risk that scans can impact production servers by impacting performance. Because of this risk of impact, some people would like to classify the scanning event as a change.

The risk that we have of classifying the vulnerability scanning event, is that it would set precedence for similar type of events. For example, we could start getting into the business of managing Virus Scans, Altiris Discovery, Hardware/Software Discovery, and other planned operation that may affect service levels as a change. It has been argued that this is not a platform for change.

If that is the case, what is the best way to handle it? Or, how do you handle similar type of events which have known impact, requires approval and notification, but does not fall into an ITIL definition of a change?

A:

Whether or not this is a Change is dependent on how you have structured the data in the CMDB. The implemented Change record should be the driver to update a state or attribute of a CI in the CMDB. If you are tracking “Last Scan Date” in the CMDB, then yes, the Scan would update that field. In which case, it should be handled as a Change request.

Personally, I wouldn’t track that level of detail in a CMDB since it adds little value to my managing the inter-relationships of the IT infrastructure.

What it sounds like you should be doing is opening an Incident. Remember that an Incident isn’t just an outage. It is any event outside the normal operation of a Service that causes, or may cause, an interruption or degradation in quality of that Service.

The scan sounds like an event that is outside the normal operation of a scanned device that might cause a degradation in the quality of the Service reliant on that device.